encompassing brands, agencies and marketing service companies.


Please visit our website www.dma.org.uk for more information about us. 
Introduction: 


• The DMA welcomes the opportunity to respond to this consultation. The Direct Marketing Guidance
was an important piece of guidance when it was first issued back in 2013, and with the updated 
version in 2016, it has been the basic reference for all direct marketing. 


• Its elevation to a Code of Practice under the Data Protection Act 2018 gives the ICO an
opportunity to make the Code the premier resource for any organisation looking to carry out direct
marketing. To do this the Code would need to expand its scope in recognition of the pivotal role of
data and marketing to the UK economy. This is an opportunity to provide specific guidance not only on
the channel-specific rules, but also on how organisations decide what data they will use for marketing
campaigns, and whether that data is acquired lawfully and fairly.


Customer-first 


• At the heart of the DMA code—which all of our members sign up to—is putting the customer first. We
believe that when consumers trust and respect the brands that they use, a lasting relationship is 
formed. Not only is this the right thing to do, but also these trusting relationships tend to be the most 
profitable. 


• This customer-first approach guides our members and the DMA’s response to this call for views.
Marketing thrives as a sector when it engenders trust with people. Once trust is lost it takes a long
time to regain, if at all. The ICO’s Direct Marketing Guidance is an opportunity to drive customer-first
approaches across the marketing sector and to foster long-term customer relationships.


• The new Code should acknowledge the DMA Code and more broadly the role of industry codes in
driving best practice. The principles-based DMA Code is concise and easy for marketers to understand
and abide by. The ICO would encourage a consistent approach across data and marketing by
acknowledging and referring to the principles of the DMA Code:
o Put your customer first
o Respect privacy
o Be honest and fair
o Be diligent with data
o Take responsibility


Consultation questions 


Q1. The code will address the changes in data protection legislation and the implications for direct 
marketing. What changes to the data protection legislation do you think we should focus on in the direct 
marketing code? 


• In this section we outline what topics we think the new Code should cover and give examples and case
studies where appropriate. 


Interaction between the Privacy and Electronic Communications Regulations (PECR) and the General Data 
Protection Regulation (GDPR) 


• The first two versions of the Direct Marketing Guidance primarily focused on electronic marketing
under PECR and consequently concentrated on consent as the lawful basis for marketing. The new 
Code must expand its focus and include the other legal bases in GDPR, although the two that are most 
likely to be used for marketing activities are consent and legitimate interests. 


• The new Code should emphasise that there is no hierarchy of lawful bases and that all are equally
valid. 


• The Code must cover all the different marketing channels and not just focus on electronic marketing,
which is covered by PECR. Both offline and online channels should have fair representation in the 
guidance, with plenty of examples. 


Postal marketing 


• Postal marketing is an integral part of the marketing mix. However, organisations are unclear about
what lawful basis they can rely on. Recital 47 of the GDPR states “the processing of personal data for 
direct marketing purposes may be regarded as carried out for a legitimate interest.” Furthermore, the 
ICO has previously stated that “consent is not required for postal marketing”. However, many 
organisations are not clear what the correct lawful basis is. 


• The Code should make it plain where legitimate interests can be used as the appropriate legal ground
for postal marketing and what requirements an organisation must meet in its legitimate interest
assessment (LIA).


• Example: Postal marketing and legitimate interest


A catalogue company purchases a new data set from a data provider and then sends a catalogue to 
these potential customers. The catalogue company rely on legitimate interest and do not ask for 
consent. However, the privacy notice on the catalogue mailer explains that people can opt-out and 
directs individuals online where more information is available. 


Live Telemarketing 


• Telemarketing faces similar issues to postal marketing as it is a marketing channel that has not
previously required consent. However, since GDPR, marketers have been uncertain what lawful basis is
most appropriate for telemarketing.


• It is the DMA’s understanding that live telemarketing calls can take place under legitimate interest but
subject to a balancing test and screening the data against the Telephone or Corporate Telephone 
Preference Service. 


• Example: Contact centre


A contact centre makes outbound telemarketing calls to consumers on behalf of their clients that come 
from a diverse range of sectors. All phone numbers are screened against the TPS before any calls are 
made. The client and the contact centre rely on legitimate interest as their lawful basis. 


B2B Marketing 


• The old Code focussed on B2C marketing and most case studies were from B2C marketing. It is
important that the guidance uses a variety of case studies from both a B2C and B2B marketing 
perspective. 


• The corporate subscriber exemption under PECR is sometimes misunderstood by B2B marketers who
do not realise that you must ask for consent if you are emailing an employee of a sole trader but do not 
need to if you are emailing an individual working for a limited company. The exemption should be 
explained in simple terms and given prominence in the new Code. 


• Example: B2B marketing to existing customers


A company selling a customer relationship management platform sends out marketing email to
existing customers 12 months after their purchase to advertise other complementary services. Is the
company allowed to do this and what is the appropriate lawful basis?


Third party data 


• The new Code must make clear what lawful bases can be relied upon in order to collect, share and buy
third party data for direct marketing. 


• Since the introduction of GDPR, marketers have been unclear to what extent they can use third party
data for marketing. There is also a lack of guidance from the ICO. As a result, organisations have 
stopped using third party lists for new marketing campaigns as they are unsure whether lists sold by 
vendors are compliant with GDPR. 


• Practically, it is impossible for a third party data provider to build a data set using consent as a legal
basis. The provider will not know who their future clients are so will be unable to inform the data 
subject of the recipient of the data when it is collected. As a result, providers have been relying on 
legitimate interest as an alternative lawful basis for third party marketing. In general the DMA supports 
this approach but it is dependent on the context. Marketers are unclear whether legitimate interest 
can be relied upon as the lawful basis for the collection, sharing and use of third party data for direct 
marketing. 


• The new Code must use third party data examples to give clarity to the marketing sector. The DMA
created its own guidance on this topic with input from the ICO. The ICO could use examples from the 
DMA’s guidance as it uses industry language that marketers know and understand. This will help to 
ensure a consistent and responsible approach to using third party data across the UK. 


• Example: Targeted online advertising


A brand that holds names and addresses and email addresses of its customers might wish to link these 
to digital identifiers (cookies, devices etc.) by using a third party that has created a GDPR compliant 
and permissioned ‘pool’ of these identifiers with associated email addresses and/or postal addresses. 


Once the link has been made, the brand now has a cookie associated with its customer name and 
address data. This allows the brand to use the digital advertising ecosystem and programmatic media 
buying to target personalised advertisements across a range of web sites. This advertising itself will 
typically be carried out on behalf of the brand by its media agency. 


Legal basis: Consent under PECR e.g. the individual has consented to having cookies dropped on their
device. However, any processing of personal data to support the serving of the advertising (e.g. using linkage
to help create a relevant audience) may be done under legitimate interest. The new Code should clarify
if this interpretation is correct.


Social media advertising 


The new Code must have a specific section covering the use of social media advertising and marketing 
using internet based services. The political advertising scandals in the UK and USA, often using social 
media, show how important it is for clear guidelines on best practice. 


When a brand advertises on Facebook, for example, they do not necessarily exchange personal data
with Facebook or access personal data about Facebook users. The data is anonymous and therefore an
individual cannot be directly identified. The new Code should reflect the risk-based approach adopted
in GDPR as processing anonymous data presents far fewer risks to an individual’s rights and freedoms.


Example: As part of a seasonal advertising campaign a clothing retailer wants to target existing 
customers on a social media platform with a discounted promotional code. It shares a basic amount of
personal data with the social media provider so existing customers can be identified and receive the 
promotional code. Any individual that has opted out from receiving marketing is suppressed and will, 
therefore, not receive the promotional code. 


Cookies and online advertising 


There is a tension between the requirements of PECR and GDPR as regards the use of cookies for direct
marketing. PECR allows for an implied consent approach, with cookie banners telling individuals that
the web page uses cookies and not offering choice over how those cookies work or how they track
individuals. This contradicts the consent standard in GDPR and so the new Code must clarify what
organisations need to tell individuals when using cookies for marketing and how much control they
must give to individuals.


The French data protection authority (CNIL) published a decision stating that French start-up company 
Vectaury failed to meet conditions for valid GDPR consent. This was because individuals were not 
aware of organisations that Vectaury may have shared their personal data with. In essence, consent 
cannot be passed from one data controller to another, according to the CNIL decision. However, CNIL’s 
ruling is at odds with the IAB Europe’s Consent Framework for marketing cookies where consent is 
gained by company A and then personal data is shared with a varying number of companies down the 
chain. Many organisations have adopted this framework in order to be compliant with the GDPR. 
Organisations need clear guidance on how to be GDPR compliant and use cookies for marketing. 


The use of cookies is fundamental to the internet’s current advertising funded model which relies on
their seamless use. Online publishers generate revenue through the use of targeted advertising and
without that revenue stream the service would either close or have to be paid for. The ICO should 
allow individuals to exchange their personal data in return for online services where it is permitted by 
law. 


Transparency 


In line with many of the examples stated above, the DMA would like the code to clarify how much 
information an organisation must give an individual when collecting their personal data for marketing. 
It is unclear to organisations how much detail they need to provide and how best to layer their privacy 
notice to ensure individuals receive the appropriate information and at the right time. 


Example: Cookie banner 


A website has a cookie banner and informs individuals that their website uses cookies for marketing, 
analytics and for core website functions. This is the only information in the cookie banner. Individuals 
can then click on a link to learn more about the nature of the processing and choose to turn off 
marketing or analytics cookies, if they wish to. 


DMA Guidance 


Implementing GDPR has proved to be difficult for many organisations due to the lack of a consistent 
interpretation of the law by different organisations. However, there is an emerging consensus in many 
areas, as a result of ICO but also sector specific guidance. The DMA, working with the ICO, created 
GDPR guidance specific to marketing and using case studies and this has helped to foster a more 
consistent application of the law. The new Code should make reference to the DMA’s GDPR guidance 
in order to promote consistent application of GDPR. 


Charities 


Fundraising carried out by the charity sector is considered to be a form of direct marketing. The DMA 
agrees with this approach and that the same rules should apply to fundraising as other industry 
sectors.


However, charities are treated differently in some respects and unfairly so. Charities are unable to take 
advantage of the existing customer soft opt-in because they have donors and not customers. This is an 
unfair distinction given the fact that fundraising is considered the same as direct marketing. The 
existing customer soft opt-in should be extended to the charity sector.


Profiling


• Profiling underpins direct marketing; without it, direct marketing would be reduced to a one-size-fits-all
approach.


• By creating profiles of similar people, marketers can accurately target the right individuals with offers
they may be interested in. This cuts down on wastage and means individuals are more likely to see marketing
that engages them.


• Profiling is specifically addressed in the GDPR, which brings new obligations for data controllers to
consider. In particular, profiling activity requires a lawful basis under GDPR. What lawful basis is valid 
will depend upon the context and organisation. The guidance should use examples where consent and 
legitimate interest are used as a lawful basis for profiling. 


• Example: Charity


A charity collects personal data from its donors and uses that information to analyse individuals and 
create a profile of their interests and preferences so that they can send out fundraising messages 
targeted at particular segments of people. The charity informs individuals in its privacy notice and gives 
people the chance to opt-out. The profiling is done under legitimate interest as the charity deems that 
the profiling is within an individual’s reasonable expectations and that they will not be subject to a
significant or legal effect as a result. 


Consumer awareness 


• The GDPR is a new law and it is not widely understood by the public. This has led to confusion in some
quarters about what rights individuals have. The ICO must do more to promote the GDPR and how it 
impacts the public. The DMA is keen to continue to be involved in and build on the existing ‘Your data 
matters’ campaign. 


• Some DMA members have had trouble explaining the right-to-erasure to their customers. The public
has a limited knowledge of the law but are aware of their right to have their data deleted. This right 
can confuse people, as someone may request to have their data deleted from a marketing suppression 
list and not be aware that this could mean they are sent marketing in the future. It would be useful to 
add examples of when an organisation can legitimately keep someone’s data for marketing 
suppression and how this should be communicated. 


Q2. Apart from the recent changes to data protection legislation are there other developments that are 
having an impact on your organisation’s direct marketing practices that you think we should address in the 
code?


• Yes.


Q3. If yes please specify 
• The DMA’s answer to question 1 covers the main areas that we believe the new Code must cover.


Q4. We are planning to produce the code before the draft ePrivacy Regulation (ePR) is agreed. We will then 
produce a revised code once the ePR becomes law. Do you agree with this approach? 


• The DMA agrees that this approach is sensible as the final text of the ePrivacy Regulation has not been
completed and might be delayed substantially. The new Code must first cover the interaction between 
PECR and GDPR. It can then be updated in the future, when or indeed if ePR is approved. 


Q6. Is the content of the ICO’s existing direct marketing guidance relevant to the marketing that your 
organisation is involved in? 


No. 
Q7. If no what additional areas would you like to see covered? 


• The current guidance document has a very narrow definition of direct marketing and does not cover
some important areas. As stated in our answer to question 1, a summary of the main areas is below:
o Interaction between the Privacy and Electronic Communications Regulations (PECR) and the
General Data Protection Regulation (GDPR)
o Postal marketing
o Live Telemarketing
o B2B Marketing
o Third party data
o Social media advertising
o Cookies and online advertising
o Transparency
o DMA Guidance
o Charities
o Profiling
o Consumer awareness


Q8. Is it easy to find information in our existing direct marketing guidance?
• No.
Q9. If no, do you have any suggestions on how we should structure the direct marketing code? 


• The Code should set out the data protection issues that are common to all forms of direct marketing.
For example, the lawful basis for processing is a topic that applies to profiling and to all marketing
channels.


• The Code should then go on to provide specific guidance for each marketing channel, each of which
should be given equal prominence, clearly setting out the available lawful bases, and how marketing 
permission can be gained. 


• There is a lot of repetition in the guidance with marketing activities appearing in different sections.
More cross-referencing would be useful so that marketers can easily understand how the same rules 
and principles apply to different marketing channels or processing activities. 


Q10 Please provide details of any case studies or marketing scenarios that you would like to see included in 
the direct marketing code. 


• The DMA has provided examples and case studies in our answer to question 1.
• Moreover, the DMA would be happy to share its data protection and marketing guidance with the ICO
so common case studies can be adopted by both trade associations and regulators. The DMA has a
series of GDPR guides as well as guidance on the use of third party data by marketers.


Q11 Do you have any other suggestions for the direct marketing code? 
• No, please refer to our answer to question 1.
Conclusion 


• The DMA would be happy to meet with the ICO to discuss the DMA’s response to this call for views. If
there are any questions arising from the DMA’s response to this consultation, please do not hesitate to 
get in touch using the contact details below. 


DMA Code and guidance documents 


• DMA Code: https://dma.org.uk/the-dma-code
• DMA GDPR Guidance: https://dma.org.uk/article/dma-gdpr-guidance-for-marketers
• DMA Third Party Data Guidance: https://dma.org.uk/article/dma-advice-using-third-party-data-under-gdpr